Why testing user behaviour is crucial to your cyber security

To establish a baseline of user behaviour, organisations must be able to check how their employees perform when receiving a threat.

Cyberattacks and security breaches have become so widespread that companies are now spending billions of dollars collectively to deal with these threats. Falling victim to attacks such as an advanced persistent threat or a malware attack can cause irreparable damage to their businesses and reputations. So, organisations, regardless of size, should now view security spending as an investment.

However, no matter how much companies spend on security, their investment can become moot if they fail to address vulnerabilities from within. The human factor remains a weak link in any security strategy, as human error can bring malicious players into the system, which is why, according to Kaspersky, 90% of corporate data security breach incidences in organisations are still mainly caused by human error.

Unfortunately, dealing with the human factor can be quite a challenge. In order to remedy this, companies must first know how end-users actually behave, what information employees need and where they aren’t as cautious as need be. Security solutions do get tested through penetration tests and attack simulations so why not end-user behaviour as well? Fortunately, breach and attack simulation (BAS) solutions are now integrating social engineering attack tests into their platforms which allow organisations to check how their members react to such threats.

Social engineering attacks are thriving

Hackers know that users are easily exploitable, so they use fabricated emails and websites to try and fool users into believing that they are accessing legitimate web pages or downloading safe attachments. Those that fall for these tricks are likely to give up sensitive information such as access credentials or run malware that can give hackers access into systems.

How to fix the CSRF vulnerability in popular web frameworks?

Cross-site request forgery (CSRF) is no longer a part of the top OWASP threats so it’s pretty safe to ignore it, right? Think again

The continued pervasiveness of phishing attacks underscores this. Microsoft reported an increase of 250% in phishing emails in the billions of emails processed by Office 365. Out-of-the-box email protections appear to struggle to adequately screen out all of these emails with a quarter of these emails bypassing Office 365’s security. This means that end-users must still serve as a crucial line-of-defence from phishing attacks to prevent attacks.

Users must be able to identify malicious emails, links and attachments. Attackers, however, are making this quite difficult as they now have means to customise and even personalise phishing emails to resemble official correspondence.

Ways to test user behaviour

To establish a baseline of user behaviour, organisations must be able to check how their employees perform when receiving a threat.

Fortunately, BAS platforms have now started to incorporate tests on everything from simple malware and phishing attempts to more complicated data Tests can be configured to send out dummy emails containing test payloads and links. BAS solution Cymulate, for instance, even provides customisable templates to enhance the illusion of dummy emails and make them look as legitimate as possible. The platform then tracks how many users open and click on these dummy emails and provide statistics and even identify users who clicked on such emails.

Since these are simulated attacks, they don’t cause any harm to the infrastructure but gives organisations an accurate picture of how their members actually behave when faced with phishing attacks.

Education is key

By looking at the results of these simulated attacks, companies could then identify the extent by which they have to invest in cybersecurity training, and what areas are the ones needing the most work. Awareness training has become key to promote a security-first mindset.

This may include educating them on how to check email headers, verify domains, and scrutinise links. Corrective actions such as reporting suspicious emails and deleting them must also be included. Scanning attachments must also become second nature to users.

Cyber security scores: a new standard in mitigating risk?

Andrew Martin, founder and CEO of DynaRisk, explains how cyber security scores are improving employee engagement for enterprises

Even grammar and writing style can be indicators of phishing emails so encouraging users to nitpick the actual content can help. Many attacks originate from non-English speaking countries so bad grammar in supposedly official correspondence from reputable companies can often indicate that an email is a phishing attempt.

Aside from awareness training, solutions such as additional security and email and browser client plug-ins can be used to help employees screen links and emails for attacks.

Encouraging awareness

Addressing human-caused vulnerabilities can be tricky since it requires changing mindsets and behaviour habits. But for cybersecurity to be truly effective, organisations must be able to develop the right attitude in their workforces. Companies must teach their employees to be constantly on the alert for security concerns. All it takes is one slip up for a massive cyberattack to be successful and no organisation would want to fall victim to one.

Related Topics

Testing